Extending the CIS security controls
The Center for Internet Security has long provided helpful free advice on information (or cyber) security, including a "prioritized list of 20 best practice security controls" addressing commonplace risks.
In the 'organizational controls' group, best practice control 17 recommends "Implement a security awareness and training program". Sounds good, especially when we read what CIS actually means by that:
"It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: system developers and programmers (who may not understand the opportunity to resolve root cause vulnerabilities early in the system life cycle); IT operations professionals (who may not recognize the security implications of IT artifacts and logs); end users (who may be susceptible to social engineering schemes such as phishing); security analysts (who struggle to keep up with an explosion of new information); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions)."
Recognising that security awareness and training programs should not merely address "end users" (meaning staff or workers in general who use IT) is one of the things that differentiates primitive from basic approaches; in fact, it extends the program into a broader-based approach to developing organizational culture. Well done, CIS, for pointing that out, although personally I would have offered more explicit guidance rather than emphasizing a "skills gap analysis". For example, having distinguished several audiences, I suggest preparing awareness and training materials on subjects and in formats that suit their respective perspectives and needs. Also, make the awareness and training activities ongoing, close to continuous rather than infrequent or occasional. Those two suggestions, taken together, lift basic security awareness and training programs to the next level - good practice at least, if not best practice.
Anyway, that's just 1 of 20. Similar considerations apply to the other 19 controls: no doubt they can all be embellished and refined or amplified upon by subject matter experts ... which hints at a 21st control: "Actively seek out and consider the advice of experts, ideally experts familiar with your situation" implying the use of consultants or, better still, employing your own information security specialists full-time or part-time as appropriate.
While I'm at it, I'd like to suggest four further controls that are not immediately obvious among the present 20, all relating to management:
22. Information risk management - comprising a suite of activities, strategies, policies, skills, metrics etc. to identify, evaluate and address risks to information systematically and professionally;
23. Management system - a governance arrangement that envelops all aspects of information risk and security management under a coherent structure, ideally covering information risk, information security, governance, compliance, incident management, business continuity and more (e.g. health and safety, since "Our people are our greatest assets"!). Although I'm thinking of ISO27k here, there are in fact several such frameworks. Depending on the organizational or business context, any one of them might be perfect, or it may be better to draw on elements from several in order to assemble a custom arrangement with the help of those experts I mentioned a moment ago;
24. Information risk and security metrics - by focusing attention on and measuring key factors, metrics enable rational management, facilitate continuous improvement and help align information risk and security with business objectives. The advice might usefully expand on how to identify those key factors and how best to measure them, perhaps in the form of a 'measurement system';
25. Information risk and security management strategy - I find it remarkable that strategy features so rarely in this field, given its relevance and importance to the organization. I guess this blind-spot stems partly from weaknesses in other areas, such as awareness, management systems and metrics: if management doesn't really understand this stuff, and lacks the tools to take charge and demonstrate leadership, it's left to flounder about on its own with predictable results. If information risk and security managers, CISOs etc. aren't competent or aware of the value of strategy, maybe it never occurs to them to get into this, especially as standards such as ISO/IEC 27001 barely even hint at it, if at all.
Maybe I should suggest these 5 additional controls to CIS? Their website doesn't exactly call out for suggestions so you, dear blog reader, are in the privileged position of advance notice. Take as long as you like to think this over and by all means comment below, email me or prompt CIS to get in touch. Let's talk!
PS Seems I'm not alone in recommending the strategic route. I just spotted this in Ernst & Young's Global Information Security Survey 2018-19:
"More than half of the organizations don’t make the protection of the organization an integral part of their strategy and execution plans ... Cybersecurity needs to be in the DNA of the organization; start by making it an integral part of the business strategy ... Strategic oversight is on the rise. The executive management in 7 of 10 organizations has a comprehensive understanding of cybersecurity or has taken measures to make improvements. This is a huge step forward; put cybersecurity at the heart of corporate strategy ... Cybersecurity must be an ongoing agenda item for all executive and non-executive boards. Look to find ways to encourage the board to be more actively involved in cybersecurity."
Whether information risk and security is an integral part of business strategy, or business strategy is an integral part of information risk and security, is a moot point. Either way, they should be closely aligned, each driving and supporting the other. Strong information risk and security is both a business imperative and a business enabler.
As to putting this on the board's agenda, we've been doing precisely that since, oooh, let me see, 2003 ...